FireEye Finds Chinese APT Group Attacked Hong Kong Media Outlets

Group lured journalists with decoy documents about newsworthy events and abused Dropbox for communications

FireEye, the leader in stopping today’s advanced cyber attacks, today released the results of its research into a recent campaign carried out by a Chinese cyber threat group–referred to as “admin@338″ –targeting Hong Kong-based media organizations.

In August, the group sent spear phishing emails about newsworthy developments with malicious attachments to Hong Kong-based media organizations, including newspapers, radio, and television outlets. One email referenced the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. Another email referenced a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.

The group employed malware called LOWBALL which abuses Dropbox, a legitimate cloud storage service, for command and control purposes. When FireEye researchers alerted Dropbox to the group’s activities, Dropbox promptly blocked the access token used by LOWBALL. In doing so, Dropbox disrupted the group’s command and control capabilities in all observed versions of the malware.

FireEye has observed targeted attacks by multiple Chinese threat groups on journalists at international and domestic media organizations in Asia. These attacks have often focused on Hong Kong-based media, particularly those that publish pro-democracy material. Journalists located in Taiwan, Southeast Asia, and elsewhere in the region have also been targeted.

“Journalists in Asia are routinely subject to these targeted cyber attacks. They are dependent on information from many different sources, which makes them easy to target. The information journalists have and the identity of their sources can be valuable intelligence. Without adequate technological defenses, they make easy victims,” said Bryce Boland, chief technology officer for Asia Pacific at FireEye.

FireEye has tracked admin@338’s activity since 2013. The group has largely targeted organizations involved in financial, economic, and trade policy. FireEye first observed the group targeting media outlets in April 2015.

The group’s previous activities against financial and policy organizations have largely focused on spear phishing emails written in English, destined for Western audiences. This campaign, however, is clearly designed for those who read the Traditional Chinese script commonly used in Hong Kong.

In April, FireEye released a report on APT30, a Chinese-linked group which waged a decade-long cyber espionage campaign on Southeast Asia and India. APT30 also targeted journalists, but FireEye has not observed any direct links between that group and admin@338.